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WE CLAIM: 

1. A policy setting support tool for creating, in a computer system equipped with 
an access control unit that controls access to computer-managed resources based on 
policies, said policies, said policy setting support tool comprising: 

an information database arranged by the kind of subject containing sample policies 
prepared as standard or recommended policies, an access log holding a history of the 
normal behavior of the subject, and installation information including the path to the 
subject installed in said computer system; 

an information database arranged by the kind of object containing association 
information representing the subjects that are most frequently used to access it; 
an access monitoring unit for monitoring the behavior of the subject and recording it in 
said access log; 

a differential detection unit for collating said installation information with said sample 
policy and detecting the differences; 

a policy creation unit for creating a draft policy from said sample policy, said association 
information, and said differences detected by said differential detection unit; and 
a user interface unit for presenting said draft policy to the user, revising said draft 
policy as directed by the user, and saving the revised policy as the final policy. 

2. The policy setting support tool of claim 1, further comprising: 

a unit for creating a draft policy from one or more of said sample policy, said 
association information, and said access log, in accordance with the directions given by 
the user through said user interface unit, and 

a unit for setting up a policy by accepting requests for revising said draft policy 
and saving the revised policy. 

3. A policy setting support tool for maintaining, in a computer system equipped 
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with an access control unit that controls access to computer-managed resources based 
on policies, said policies, said policy setting support tool comprising: 

an information database or a set of information database containing most 
up-to-date information regarding the subjects and objects of access; 

a differential detection unit for collating the most up-to-date information 
regarding the subject and object of the access retrieved from said information database 
or said set of information database with the policies that are already set up, and 
detecting the items that need to be revised; 

a policy creation unit for creating a draft policy based on the result of detection 
produced by said differential detection unit; and 

a user interface unit for presenting said draft policy to the user for visual 
confirmation and revising said draft policy as directed by the user. 

4. The policy setting support tool of claim 3, wherein said differential detection 
unit performs the collation and detection processing at regular intervals or at the 
demand of the user, and upon detecting any difference, presents it to the user through 
said user interface unit, and further wherein the user of said policy setting support tool 
visually checks said difference presented to the user, determines whether the policy 
should be revised as presented, revises it if and as necessary through said user interface 
unit, and saves the final policy. 

5. A policy setting support tool for creating, in a computer system equipped with 
an access control unit that controls access to computer-managed resources based on 
policies, said policies, said policy setting support tool comprising: 

an information database holding, for each object of access, information on the 
subjects that are most frequently used as a unit of access to it, and 

a unit for creating a policy from the information held in said association 



40 



340300055E 



information. 

6. The policy setting support tool of claim 5, further comprising: 

a subject-specifying unit for specifying unit of access to the object according to 
its purpose, and 

a unit for creating said policy while designating the program specified by said 
subject-specifying unit as the subject that is permitted to access multiple kinds of object. 

7. The policy setting support tool of claim 5, wherein said computer system 
includes a collection of identifications of the subjects equipped with an object-sharing 
handling unit for sharing objects among multiple subjects and a collection of 
object- sharing information listing the types of object that can be accessed by each 
subject, said policy setting support tool further comprising a unit for creating a policy 
that permits all or some of the types of access from a subject registered in said collection 
of object- sharing information to objects available to said subject. 

8. The policy setting support tool of claim 5, further comprising a unit for being 
notified by said access control unit of any access attempts violating said policy, for 
notifying the user of said computer system administering objects to be accessed about 
said access attempts, and for carrying out a process based on a judgment made by said 
user in response to the notification, wherein^ 

said judgment made by said user is a choice between thereafter permitting all 
of said access attempts violating said policy, permitting said access attempt only this 
time, and prohibiting all of said access attempts violating said policy; 

in case said judgment made by said user is to thereafter permit all of said 
access attempts violating said policy, said process is to revise said policy so as to make 
said access attempts legitimate and to notify said access control unit of the legitimacy of 
said access attempts; 
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in case said judgment made by said user is to permit said access attempt only 
this time, said process is to notify said access control unit of the legitimacy of said access 
attempt, without revising said policy; and 

in case said judgment made by said user is to prohibit all of said access 
attempts violating said policy, said process is to notify said access control unit of the 
illegitimacy of said access attempts, without revising said policy. 

9. The policy setting support tool of claim 5, further comprising a unit for being 
notified by said access control unit of any access attempts to an object not registered in 
the collection of said policies coming from a subject associated with said object, for 
notifying the user of said computer system about said access attempts, and for carrying 
out a process based on a judgment made by said user in response to the notification, 
wherein : 

said judgment made by said user is a choice between permitting and 
prohibiting said access attempt made to said object not registered in the collection of 
said policies coming from a subject associated with said object; 

in case said judgment made by said user is to permit said access attempt, said 
process is to revise said policy so as to make said access attempt legitimate and to notify 
said access control unit of the legitimacy of said access attempt; and 

in case said judgment made by said user is to prohibit said access attempt, said 
process is to notify said access control unit of the illegitimacy of said access attempt, 
without revising said policy. 

10. The policy setting support tool of claim 5, further comprising a unit for being 
notified by said access control unit of any access attempts coming from a subject which 
only partially matches the collection of said policies, for notifying the user of said 
computer system about said access attempts, and for carrying out a process based on a 
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judgment made by said user in response to the notification, wherein: 

said judgment made by said user is a choice between permitting and 

prohibiting said access attempt made by said subject; 

in case said judgment made by said user is to permit said access attempt, said 

process is to revise said policy so as to make said access attempt legitimate and to notify 

said access control unit of the legitimacy of said access attempt; and 

in case said judgment made by said user is to prohibit said access attempt, said 

process is to notify said access control unit of the illegitimacy of said access attempt, 

without revising said policy. 
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